Cyberpeace Foundation and Autobot Infosec have studied two incidents of hackers targeting State Bank of India (SBI) customers. They are targeting customers through phishing campaigns, asking them to update their KYC, and duping innocent customers. Here are the ways you can avoid falling for the scams.
The hackers are cheating customers in two ways. Both methods rely on fake/ phishing websites that closely resemble SBI’s official website and capture sensitive financial/ personal information of the customers. These fake websites, the researchers say, are registered in China. The hackers try to get as much financial information as possible which allows them to siphon money from a customer’s bank account.
In the first method, they send a text message to a customer’s mobile number and request for KYC verification. The message contains a link, which leads the customers to a fake website that closely resembles the SBI’s official website. The website asks the customer to click on the “Continue to Login” button. Once a customer clicks on the link, the webpage directs him to “full-kyc.php” page- asking the customer to enter sensitive personal data such as username and password. Thereafter, the webpage redirects the customer to an OTP page. Once the customer enters the OTP, the webpage again redirects him to another page, which asks for further information such as account holder name, mobile number, date of birth. After entering the data, the webpage directs the customer to another OTP page.
In the second method, the hackers send a WhatsApp text with an SBI image to customers. The message allures users to participate in a quick survey to receive a free gift of Rs. 50 lakh from the SBI.
A similar campaign was also reported in March this year.
How to stay safe?
First things first: NEVER CLICK ON ANY UNSOLICITED LINK that you receive through an unsolicited email/ message/ documents. It’s human nature to be curious, but you are better off without clicking on such links in this case. And don’t even bother entering your data, hackers know multiple ways to misuse them.
The second important piece of advice: ALWAYS KEEP AN EYE ON THE URL (LINK). In this case, the hackers are using fake websites, but with a different URL. The official SBI URL is www.onlinesbi.com. If you carefully look at the link of the fake website, it would be different. By the way, if you think fake websites won’t be able to fool you, have a look here.
The third important piece of advice: If it promises a gift, a prize, a job offer, a lottery- it’s a scam. Remember, if it’s too good to be true, it is not true.
For a more in-depth understanding of phishing campaigns, you may access this resource. If unfortunately, you have fallen for such a scam, you can call 155260 for help. If you don’t receive help there, this guide will definitely help you.